Blue Team-System Live Analysis [Part 11]- Windows: User Account Forensics- NTUSER.DAT Rules, Tools, Structure, and Dirty Hives!

NTUSER.DAT, ntuser.dat.LOG1 and ntuser.dat.LOG2 extracted from a test system using FTK Imager
  • Secondary sequence number: This number is incremented by 1 when the write operation on NTUSER.DAT ends.
Dirty NTUSER.DAT opened with Hex Editor.
Clean NTUSER.DAT opened with Hex Editor.
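The dirty/clean distinction shown in the two hex editor screenshots comes from the hive's base block: the primary sequence number at offset 4 is bumped when a write begins and the secondary sequence number at offset 8 when it ends, so a hive whose two numbers differ still has un-replayed transactions in its LOG1/LOG2 files. The script below is an added example, not code from the original article; it parses the documented regf base block fields (signature, sequence numbers, last-written FILETIME, version, embedded file name and the XOR checksum over the first 508 bytes) and reports whether the hive is dirty. Because no real hive ships with this page, it also builds a constructed, synthetic base block purely so the parser can be exercised offline; the names build_sample_base_block and parse_base_block are this example's own.

```python
import datetime
import struct
import sys

REGF_SIGNATURE = b"regf"
BASE_BLOCK_SIZE = 4096  # the base block occupies the first 4 KiB page of the hive
FILETIME_EPOCH = datetime.datetime(1601, 1, 1)


def regf_checksum(block: bytes) -> int:
    """XOR of the first 508 bytes taken as 127 little-endian uint32 values.
    Per the documented format, the reserved results 0 and 0xFFFFFFFF are
    stored as 1 and 0xFFFFFFFE respectively."""
    checksum = 0
    for (word,) in struct.iter_unpack("<I", block[:508]):
        checksum ^= word
    if checksum == 0:
        return 1
    if checksum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return checksum


def build_sample_base_block(primary_seq: int, secondary_seq: int,
                            name: str = "ntuser.dat") -> bytes:
    """Construct a minimal synthetic base block (test data, NOT a real hive)."""
    hdr = bytearray(BASE_BLOCK_SIZE)
    hdr[0:4] = REGF_SIGNATURE
    struct.pack_into("<II", hdr, 4, primary_seq, secondary_seq)
    # last-written timestamp as FILETIME: 100 ns intervals since 1601-01-01
    delta = datetime.datetime(2024, 1, 1) - FILETIME_EPOCH
    struct.pack_into("<Q", hdr, 12, int(delta.total_seconds()) * 10_000_000)
    # major/minor version, file type (0 = primary file), file format
    struct.pack_into("<IIII", hdr, 20, 1, 5, 0, 1)
    # root cell offset, hive bins data size, clustering factor
    struct.pack_into("<III", hdr, 36, 0x20, 0x1000, 1)
    name_bytes = name.encode("utf-16-le")[:64]
    hdr[48:48 + len(name_bytes)] = name_bytes
    struct.pack_into("<I", hdr, 508, regf_checksum(bytes(hdr)))
    return bytes(hdr)


def parse_base_block(block: bytes) -> dict:
    """Decode the base block fields an examiner cares about and flag a dirty hive."""
    if len(block) < 512 or block[:4] != REGF_SIGNATURE:
        raise ValueError("not a regf hive: bad signature or truncated base block")
    primary, secondary = struct.unpack_from("<II", block, 4)
    (filetime,) = struct.unpack_from("<Q", block, 12)
    major, minor, file_type, file_format = struct.unpack_from("<IIII", block, 20)
    root_offset, hbin_size, cluster = struct.unpack_from("<III", block, 36)
    # embedded file name: 64 bytes of UTF-16LE, NUL padded
    name = block[48:112].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    (stored_checksum,) = struct.unpack_from("<I", block, 508)
    last_written = FILETIME_EPOCH + datetime.timedelta(microseconds=filetime // 10)
    return {
        "primary_seq": primary,
        "secondary_seq": secondary,
        # primary != secondary means a write began but its end was never recorded:
        # the hive is dirty and the LOG1/LOG2 transactions must be replayed first
        "dirty": primary != secondary,
        "last_written": last_written,
        "version": f"{major}.{minor}",
        "file_type": file_type,
        "file_format": file_format,
        "root_cell_offset": root_offset,
        "hbin_data_size": hbin_size,
        "name": name,
        "checksum_ok": stored_checksum == regf_checksum(block),
    }


def inspect_hive_file(path: str) -> dict:
    """Read only the base block of an on-disk hive (the file may be very large)."""
    with open(path, "rb") as fh:
        return parse_base_block(fh.read(BASE_BLOCK_SIZE))


if __name__ == "__main__":
    # Usage: python hive_header.py <path-to-NTUSER.DAT>; with no argument a
    # constructed dirty sample is inspected instead.
    info = inspect_hive_file(sys.argv[1]) if len(sys.argv) > 1 \
        else parse_base_block(build_sample_base_block(8, 7))
    for key, value in info.items():
        print(f"{key:>17}: {value}")
```

Run it against the NTUSER.DAT you extracted and the `dirty` field tells you, before loading anything into Registry Explorer or `reg load`, whether you need to replay ntuser.dat.LOG1/LOG2 first; a failed `checksum_ok` on a hive that was copied from a live system is a further hint that the base block was captured mid-write.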
Reg Commands for NTUSER.dat Analysis
reg load HKLM\sechub d:\sechub\NTUSER.dat
NTUSER.dat Loaded into HKLM\sechub
reg query HKLM\sechub
and
reg query HKEY_LOCAL_MACHINE\sechub\Environment
Retrieve the Information from Loaded NTUSER.DAT using Reg Query Command
Unload NTUSER.dat from Registry
Retrieve the Information from Loaded NTUSER.DAT using RegRipper
The RegRipper Report Sample
Registry Explorer and RECmd
Load NTUSER.DAT Hive
Dirty Hive Warning
Replay Transaction Logs
Select ntuser.dat.LOG1 and ntuser.dat.LOG2
Save the Updated Hive
Save the Updated Hive File
Load the Updated Hive
Load the Old (Dirty) hive
The Dirty and Clean NTUSER.DAT Loaded in Registry Explorer
